Phishing is a form of fraud in which an attacker tries to obtain information such as login credentials or account details by masquerading as a reputable entity or person in electronic mail (e-mail), instant messaging (IM), or other communication channels. Spear phishing is a type of phishing that targets a specific organization, seeking unauthorized access to confidential data. Spear-phishing attempts are typically carried out by perpetrators seeking financial gain, trade secrets, or military information.
As with e-mail messages used in regular phishing expeditions, spear-phishing messages appear to come from a trusted source. Ordinary phishing messages usually appear to come from a large, well-known company or web site with a broad membership base, such as eBay™ or PayPal™. In the case of spear phishing, however, the apparent source of the e-mail may be an individual within the recipient's own company, often someone in a position of authority, which is what makes the request look legitimate to the recipient.
The following is one example of a spear-phishing attack. A perpetrator finds a web page of the target organization that supplies contact information for a group of its employees. Using those details to make the message appear authentic, the perpetrator drafts an e-mail to an employee listed on the contact page. The e-mail appears to come from an individual who might reasonably request confidential information, such as a network administrator. It asks the employee either to log in to a bogus page that requests the employee's user name and password, or to click a link that downloads spyware or other malicious software onto the employee's computer. If a single employee falls for the ploy, the attacker can masquerade as that employee and use social engineering techniques to gain further access to sensitive data.
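The scenario above leaves traces a defender can check for: a display name that claims an internal role while the actual address is external, a sending domain that imitates the organization's name, a Reply-To routed elsewhere, a link whose visible text shows the company's login host while its real target does not, and a credential or urgency lure. The following script, an added example that is not part of the original page, runs these heuristics over two constructed messages; the organization's domain (example.com), the keyword lists, and both sample messages are assumptions made for the demonstration.

```python
"""Heuristic triage of a suspected spear-phishing e-mail.

Added example, not code from the original page. The organisation's domain
(example.com), the role and lure keywords, and both sample messages are
assumptions constructed for the demonstration.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed: the targeted organisation's mail domain
ROLE_WORDS = re.compile(r"administrator|helpdesk|it support|security team", re.I)
LURE_WORDS = re.compile(r"verify your account|password|sign in|locked|suspended", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: the display name claims to be the network administrator,
# the real address and the link target sit on a lookalike domain, the visible
# link text shows the organisation's SSO host, and replies go elsewhere.
PHISH = """\
From: "IT Helpdesk - Network Administrator" <helpdesk@example-com.net>
Reply-To: reply-collector@example.org
To: jane.doe@example.com
Subject: Action required: verify your account
Content-Type: text/html

<html><body><p>Your mailbox will be locked in 24 hours. Sign in at
<a href="http://sso.example-com.net/login">https://sso.example.com/login</a>
to keep access.</p></body></html>
"""

# Constructed benign message from a colleague, for comparison.
BENIGN = """\
From: "Bob Smith" <bob.smith@example.com>
To: jane.doe@example.com
Subject: Lunch on Friday?

See you at noon.
"""


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased ('' if there is no @)."""
    return address.rpartition("@")[2].lower()


def is_org_domain(host: str) -> bool:
    """True for the organisation's own domain or any subdomain of it."""
    host = host.lower()
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def is_lookalike(host: str) -> bool:
    """True when an external host reuses the organisation's name (e.g. example-com.net)."""
    return not is_org_domain(host) and ORG_DOMAIN.split(".")[0] in host.lower()


def text_body(msg: Message) -> str:
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw_message: str) -> list:
    """Return the spear-phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    reasons = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. An internal-sounding role in the display name, but an external address.
    if ROLE_WORDS.search(display_name) and not is_org_domain(from_domain):
        reasons.append(f"display name claims an internal role but address is @{from_domain}")

    # 2. The sending domain imitates the organisation's name.
    if is_lookalike(from_domain):
        reasons.append(f"lookalike sender domain {from_domain}")

    # 3. Replies are routed to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To {reply_to} differs from sender domain")

    # 4. A link whose visible text shows the organisation's host but whose
    #    real target is elsewhere: the bogus login page from the scenario.
    body = text_body(msg)
    for href, shown in ANCHOR.findall(body):
        target = urlparse(href).hostname or ""
        shown_host = urlparse(shown.strip()).hostname or ""
        if is_org_domain(shown_host) and not is_org_domain(target):
            reasons.append(f"link shows {shown_host} but points to {target}")

    # 5. Credential or urgency lure in the subject or body.
    if LURE_WORDS.search(msg.get("Subject", "") + " " + body):
        reasons.append("credential or urgency lure in subject/body")
    return reasons


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, analyse(sample) or "no indicators")
```

These are triage heuristics, not a verdict: an outsourced helpdesk that legitimately mails from an external domain will trip the first check, so in practice such rules are layered on top of SPF, DKIM and DMARC alignment and URL reputation rather than used alone.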